\documentclass[a4paper,10pt]{article}

\usepackage[utf8]{inputenc}
\usepackage{amsmath}
\usepackage{fancyhdr} % package for ``fancy'' headers and footers
\usepackage{vmargin}
%\setpapersize{A4}
\setmarginsrb{3cm}{1cm}{3cm}{2cm}{1cm}{1cm}{1cm}{1cm}
\usepackage{graphicx} % for graphic import
\usepackage{nameref}
\usepackage{hyperref}

% Set header and footer
\renewcommand{\headrulewidth}{2pt}
\renewcommand{\footrulewidth}{\headrulewidth}


\newlength{\blackoutwidth}
\newcommand{\blackout}[1]
{%necessary comment
\settowidth{\blackoutwidth}{#1}%necessary comment
\rule[-0.3em]{\blackoutwidth}{1.125em}%necessary comment
}

% stuff for left, centre and right header and footer
\lhead{\textbf{Research Proposal}}
\chead{}
\rhead{\thepage}
\cfoot{}
\rfoot{\textit{Jan 10, 2014}}


\pagestyle{fancy} % use "fancy" page style for all document pages

\title{\textbf{Detecting routing anomalies with RIPE Atlas Traceroute data}}
\author{\textit{Todor Yakimov}}
\date{Jan 10, 2014}

\begin{document}
\maketitle
\thispagestyle{fancy} % force "fancy" page style on this page

\section{Introduction}

Intentional routing anomalies have become a pervasive occurrence on the Internet. With strong evidence of their presence, numerous circumvention approaches have been examined~\cite{2}~\cite{6}, most of which share similar features and shortcomings dictated by the architectural realities of today's Internet. Illegitimate routing anomalies fall within three broad categories~\cite{2}: hijacking a prefix, hijacking a prefix and its Autonomous System (AS), and hijacking a subnet of a prefix. All of them stem from the operational characteristics of the Internet's control plane, namely the Border Gateway Protocol (BGP)~\cite{5}. By
exploiting the shortcomings of BGP security and establishing malicious peering relationships and prefix announcements, such routing anomalies strive to disrupt normal operations on the Internet by misdirecting the network traffic of a prefix towards an unintended destination. Depending on the type of anomaly, malicious parties can remain completely invisible to their victims and inspect or modify their network traffic at will.


The detection of such activity on the Internet primarily relies on a combination of data originating from BGP routing tables, network traceroutes and fingerprinting of end systems that are part of supposedly hijacked prefixes~\cite{1}~\cite{2}. Due to the vastness of BGP routing tables and the inability to track each individual BGP speaker, it is almost impossible to rely solely on control-plane information, and therefore data-plane probing with tools such as traceroute is required as well. Traceroute gathers data about each intermediate device in a network path by utilising the Time-To-Live (TTL) field of the Internet Protocol (IP) specification. The tool provides useful insight into the traversed IP addresses, their round-trip time delays and, by retrieving data from Internet Routing Registry (IRR) databases, their Autonomous Systems. A serious limitation of data-plane probing is the number of vantage points in the probing system. Effectively detecting prefix hijacking requires a fair number of vantage points, offering a view of the hijacked prefix both close to its originating AS (the victim AS) and close to the destination AS (the attacker AS). The iSPY system~\cite{4} utilises the generic capabilities of vantage points that are part of the PlanetLab research network. At present, PlanetLab offers 1175 nodes at 564 sites.

RIPE NCC, Europe's Internet numbering registry, is currently testing a new global measurement framework titled RIPE Atlas~\cite{7}. Atlas is comprised of a collection of lightweight probes capable of performing four main measurements: IPv4/6 Ping, Traceroute, DNS lookup and HTTP SSL GET CERT. At present, the system is aimed primarily at providing valuable insight into the operational characteristics of RIPE NCC's own systems, for example managing DNS root instances or checking whether previously reserved address ranges such as 128.0.0.0/8 are being filtered, amongst other usages. At the time of writing this proposal, the system has more than 4,500 fully active probes dispersed over 132 countries, covering a total of 1867 IPv4 ASs and 596 IPv6 ASs; the system therefore provides far larger geographic coverage than the one used by the iSPY system. In addition, Atlas provides a way of establishing User-Defined Measurements (UDM) and keeps a historical archive of all previously conducted measurements. UDMs are governed by a credit system: a user is granted credits based upon the uptime of his own probe(s) and can use the collected credits for scheduling network tests that utilise all other probes in the testbed. Atlas has quickly outgrown PlanetLab's measurement network, and it is therefore a viable candidate for use in the detection of IP hijacking, albeit lacking the generic capabilities (such as nmap OS fingerprinting) of the probes in PlanetLab's network.

\newpage 

\subsection{Research questions}

The main research question of the project follows:
\\
\\
\textit{``Is it possible to detect routing anomalies in the Internet's control plane by relying on traceroute data from RIPE Atlas probes?''}
\\
\\
More specifically:
\\
\\
\textit{``Is it possible to detect filtering, Man-in-the-Middle (MitM) routing attacks, eavesdropping or simply routing policy changes by relying on data mining of Atlas's historical traceroute archives or by using newly defined active measurements?''}
\\
\\
And,
\\
\\
\textit{``What other datasets are needed to complement data obtained from RIPE Atlas in the process of accurately detecting the aforementioned Internet routing anomalies?''}


\subsection{Related work}

Various studies have been conducted by the academic community in the direction of detecting routing anomalies and producing accurate AS-level traceroutes~\cite{1}~\cite{3}. As signalling information, such as the routes taken by BGP update propagation and AS peerings, can be vastly different from the routes taken in the data plane by packets, such studies are of utmost importance to ISPs and their upstream providers when performing troubleshooting. The atomic components of such existing systems rely on datasets obtained from different administrative parties, and therefore it usually takes a lot of time to obtain all the data needed for performing a concise detection. Previous work on the topic has relied on evaluating BGP routing updates alone, by tracking occurrences of short-lived updates; however, such detection suffers from many false positives, because seemingly anomalous routing updates also occur for legitimate reasons such as human error, transit BGP peering relationships with static links or Multiple Origin AS (MOAS)~\cite{x} anycasting. Other systems incorporate additional steps such as end-system scanning (fingerprinting), which allows researchers to establish a map of network devices that can be used to further reinforce results on whether a particular prefix or AS has been hijacked. The main premise of such studies is that there should be differences in the hosts and their attributes present in the victim's network as opposed to that of the hijacker.

\section{Scope}

RIPE Atlas is a continuously growing measurement network that provides the capability of issuing User-Defined Measurements. All such conducted measurements are stored in a public archive. Two interesting cases arise with such a system. First, the project strives to examine whether Atlas historical traceroute data can be examined, aggregated and related to known Internet anomalies. Second, once a relationship between RIPE Atlas data and other external supporting datasets such as BGP routing tables has been established, the project will examine whether Atlas active traceroute measurements are useful in the process of detecting anomalies as they are happening. The project will examine in depth whether Atlas datasets are usable in both scenarios.
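
The following is an added example, not part of the original proposal and not RIPE Atlas code, of the first case: hop addresses from archived traceroute results are mapped to origin ASes by longest-prefix match against a routing table, and a later path is flagged when it traverses an AS absent from the baseline path. The prefix table, AS numbers and sample results are constructed, and the field names (\texttt{prb\_id}, \texttt{dst\_addr}, \texttt{timestamp}, \texttt{result}, \texttt{hop}, \texttt{from}) are assumed to follow the layout of Atlas traceroute results.

```python
import ipaddress

# Constructed prefix-to-origin-AS table standing in for a BGP routing table dump.
PREFIX_TO_AS = {
    "192.0.2.0/24": 64500,     # AS hosting the probe
    "192.0.2.128/25": 64666,   # more-specific prefix with a different origin AS
    "198.51.100.0/24": 64501,  # usual transit AS
    "203.0.113.0/24": 64502,   # AS of the measured destination
}
NETS = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_AS.items()),
              key=lambda na: na[0].prefixlen, reverse=True)

def ip_to_as(addr):
    """Longest-prefix match of a hop address; None when no prefix covers it."""
    ip = ipaddress.ip_address(addr)
    return next((asn for net, asn in NETS if ip in net), None)

def as_path(measurement):
    """Collapse the hop replies of one traceroute result into an AS-level path."""
    path = []
    for hop in sorted(measurement["result"], key=lambda h: h["hop"]):
        # A hop carries several replies; a timeout is {"x": "*"} with no "from".
        asns = {ip_to_as(r["from"]) for r in hop.get("result", []) if "from" in r}
        for asn in sorted(asns - {None}):
            if not path or path[-1] != asn:
                path.append(asn)
    return path

def find_anomalies(results):
    """Flag paths that traverse an AS absent from the first path seen per (probe, target)."""
    baseline, alerts = {}, []
    for m in sorted(results, key=lambda m: m["timestamp"]):
        key, path = (m["prb_id"], m["dst_addr"]), as_path(m)
        new = [a for a in path if a not in baseline.setdefault(key, path)]
        if new:
            alerts.append({"key": key, "timestamp": m["timestamp"], "observed": path, "new_ases": new})
    return alerts

def _hop(n, *addrs):  # constructed hop entry; None stands for a timed-out reply
    return {"hop": n, "result": [{"from": a, "rtt": 1.0} if a else {"x": "*"} for a in addrs]}

def _trace(ts, *hops):  # constructed result of probe 1 towards 203.0.113.10
    return {"prb_id": 1, "dst_addr": "203.0.113.10", "timestamp": ts, "result": list(hops)}

SAMPLE = [
    _trace(1389312000, _hop(1, "192.0.2.1"), _hop(2, "198.51.100.1", None), _hop(3, "203.0.113.10")),
    _trace(1389315600, _hop(1, "192.0.2.1"), _hop(2, None, None), _hop(3, "203.0.113.10")),
    _trace(1389319200, _hop(1, "192.0.2.1"), _hop(2, "192.0.2.200"), _hop(3, "203.0.113.10")),
]
print(find_anomalies(SAMPLE))
```

A path that merely loses an AS, as in the second constructed result where the middle hop times out, is not flagged by this check; only the third result, which crosses AS 64666, raises an alert.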

\newpage

\section{Approach}

The work will be logically divided into three phases:

\subsection{Phase 1 - Literature study}

Throughout the phase, current approaches to detecting Internet anomalies will be studied with a stress on:

\begin{itemize}
    \item Literature study of previously devised detection frameworks
    \item The inner workings of BGP, AS peering, RIPEStat tools and datasets
    \item RIPE Atlas usage
\end{itemize}

\subsection{Phase 2 - System design}

Test probes from RIPE Atlas will be obtained and further studied. The capabilities of the overall measurement framework will be studied in a hands-on approach. Conclusions will be drawn on what other datasets are needed, such as RIPE NCC BGP looking glasses and AS peering relationships.

\subsection{Phase 3 - Evaluation}

Work carried out throughout the previous phases aims to instrument the usage of RIPE Atlas for Internet anomaly detection. With this in place, during the remaining time, attention will be given to how effective the resulting modifications are in the context of a system that performs detection using only centralised data from RIPE NCC's measurement tools. In addition, work on the final paper will be carried out.


\section{Requirements}

The project requires access to RIPE Atlas probes. Access to existing probes will be granted by the project supervisors. In addition, access to a user profile with sufficient credits for performing UDMs will be granted.

\section{Planning}

\begin{tabular}{ | l | l | }
\hline
Date & Task \\ \hline
Week 1 & Phase 1 - Orientation \& Literature study\\ \hline
Week 2 & Phase 2 - System design\\ \hline
Week 3 & Phase 3 - Evaluation\\ \hline
Week 4 & Finishing final paper and work on the presentation \\ \hline
\end{tabular}

\newpage

\begin{thebibliography}{10}

\bibitem{x} Xiaoliang Zhao, Dan Pei, Lan Wang, Dan Massey, Allison Mankin,
S. Felix Wu, and Lixia Zhang,
``An analysis of BGP multiple origin AS (MOAS) conflicts'',
in Proc. Internet Measurement Workshop, November 2001

\bibitem{1} Mao, Z.M. and Johnson, D. and Rexford, J. and Wang, J. and Katz, R.,
``Scalable and accurate identification of AS-level forwarding paths'',
INFOCOM 2004. Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies

\bibitem{2} Xin Hu and Mao, Z.M.,
``Accurate Real-time Identification of IP Prefix Hijacking'',
Security and Privacy, 2007. SP '07. IEEE Symposium

\bibitem{3} H. Ballani, P. Francis, and X. Zhang,
``A Study of Prefix Hijacking and Interception in the Internet'',
In Proc. ACM SIGCOMM, August 2007

\bibitem{4} Zheng Zhang and Ying Zhang and Hu, Y.C. and Mao, Z.M. and Bush, R.,
``iSPY: Detecting IP Prefix Hijacking on My Own'',
Networking, IEEE/ACM Transactions 2010

\bibitem{5} D. McPherson, S. Amante, E. Osterweil, D. Mitchell,
``Route-Leaks \& MITM Attacks Against BGPSEC'',
IETF Informational 2014

\bibitem{7} \url{https://atlas.ripe.net/}

\bibitem{6} \url{http://atlas.arbor.net/}


\end{thebibliography}


\end{document}
